Ubuntu SFTP-Only Account How-to
This guide will show you how to set up Linux user accounts restricted to using SFTP only. These accounts will be unable to run arbitrary shell commands on the server or to access or create files outside their own home directories. The steps in this guide were tested on Ubuntu Server 12.04 with version 5.3p1 of the OpenSSH daemon, obtained from the Ubuntu software repositories. Although this guide is aimed at Ubuntu users, it should also be applicable to other flavors of Linux. The most important factor to consider is the version of OpenSSH installed on your system. Version 5.0 or above is recommended, as these versions support the OpenSSH ChrootDirectory configuration option that we'll be using here.
Right, that’s enough of the rambling, let’s get to it…
Step 0 – Make sure /home is owned by ROOT
sudo chown root:root /home/
Step 1- Create a Group for the Restricted Accounts
For the sake of this example, we'll create a new group called 'sftponly'. It's best to use the addgroup command to do this, as it takes care of allocating an unused GID (Group Identifier) to the new group for us:
sudo addgroup sftponly
Step 2- Create the User Account
For example's sake, we'll create a user account with the username 'raq3785', set his home directory to '/home/raq3785' and give him the password 'pass'.
We’ll use the useradd command here as it takes care of assigning an unallocated UID to the user account for us.
Creating the User Account:
sudo useradd -d /home/raq3785/bandrplus.com -s /usr/lib/sftp-server -M -N -g sftponly raq3785
Setting the Password:
sudo passwd raq3785
Adding the user to the sftponly group:
sudo adduser raq3785 sftponly
Step 3- Setup the users home directory
Right, let's create a home for raq3785 and give him somewhere to put his files. Enter the commands below one by one:
sudo mkdir -p /home/raq3785/bandrplus.com
sudo chown root:sftponly /home/raq3785
sudo chown raq3785:sftponly /home/raq3785/bandrplus.com
sudo usermod -d /bandrplus.com raq3785
sudo chmod 755 /home/raq3785
sudo chmod 755 /home/raq3785/bandrplus.com
The first line creates the '/home/raq3785' and '/home/raq3785/bandrplus.com' directories.
The second line sets the owner of the /home/raq3785 directory to root (and its group to sftponly). This is an important step, as the SSH server will complain (and refuse to let our restricted user log in) if the root of the user's home directory, or any directory above it, is not owned by root or is writable by group or others. The third line hands the bandrplus.com subdirectory to raq3785; it is the only place inside his chroot he will be able to write to. The usermod line sets his home directory to /bandrplus.com, which is the path that directory has once /home/raq3785 has become his root, and the chmod lines give both directories 755 permissions.
You should be able to log in to your account with a username and password when you've completed all the steps in this guide, but it's recommended that you use public key authentication, as it is considerably more secure.
If you already have a private and public key pair you would like to use, all you need to do is upload a copy of the public key to a subdirectory named .ssh in the user's home directory.
Assuming that our public key file is named 'raq3785.pub', we would issue the following commands to set up public key authentication for the raq3785 user account:
cd /home/raq3785/.ssh
cat raq3785.pub >> authorized_keys
chmod 700 authorized_keys
chown raq3785:sftponly authorized_keys
rm raq3785.pub
Step 4- Add an entry to /etc/shells
Open /etc/shells as root in your favorite text editor (for example, sudo vi /etc/shells) and add the following line at the bottom:
/usr/lib/sftp-server
Step 5- Amend the SSH Server Configuration file
Open the SSH server configuration file as root to start making changes. On an Ubuntu system this file is usually /etc/ssh/sshd_config:
sudo vi /etc/ssh/sshd_config
This may differ on other distributions, so check beforehand.
Find the line Subsystem sftp /usr/lib/openssh/sftp-server and change it to read:
Subsystem sftp internal-sftp
Find the line UsePAM yes and comment it out by prefixing it with #.
Now add the following lines at the bottom of the file:
Match group sftponly
ChrootDirectory /home/%u
# ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match
The line Match group sftponly tells the SSH server to apply the configuration options that follow it to all members of the 'sftponly' system group.
The ChrootDirectory /home/%u line tells the SSH server to confine the user to that directory ('%u' is replaced with the username). The commented-out alternative, ChrootDirectory %h, confines the user to their home directory instead ('%h' is replaced with the home directory from the account record).
The 'X11Forwarding no' and 'AllowTcpForwarding no' lines prevent the user from, respectively, accessing graphical applications on the server and connecting to other systems via ours.
The 'ForceCommand internal-sftp' line prevents the user from executing their own commands and forces them to use the SFTP server component of the SSH server by running 'internal-sftp' when the user logs in.
More information on the various SSH server configuration options available and what they do can be found here.
Step 6- Restart the SSH Server
Ubuntu/Debian users can issue the following command to restart the SSH server:
sudo /etc/init.d/ssh restart
That's it. You should be able to log in using the 'sftp' command with either the username and password you set up or your private key (if you set this up in Step 3). Using the setup outlined here, you would only have to repeat steps 1-3 to set up new accounts.
Hope this is useful to someone.
Should you run into any problems, check /var/log/syslog and /var/log/auth.log for details. Run ssh or sftp with the -vvv option for debugging messages. For sftp, the option must appear before the host, as in sftp -vvv user@host.
=======================================================================
For extra security, restrict the users who can log in. If you forget to add SFTP users to the sftponly group, you give them free shell access, which is not a nice scenario. Because SSH cannot combine AllowUsers and AllowGroups (a login has to fulfil both rules), you have to create an additional group, say ssh-users. Add the users who are allowed to log in over SSH (youruser below):
sudo groupadd ssh-users
sudo usermod -a -G ssh-users youruser
And add the following line to /etc/ssh/sshd_config (for example, with sudo vi /etc/ssh/sshd_config):
AllowGroups ssh-users sftponly
Now proceed with modifying the permissions of the user's home directory to allow for chrooting (example user raq3785):
sudo chown root:sftponly /home/raq3785
sudo chmod 755 /home/raq3785
sudo chmod 755 /home/raq3785/bandrplus.com
Create a directory in which raq3785 is free to put any files:
sudo mkdir /home/raq3785/bandrplus.com
sudo chown raq3785: /home/raq3785/bandrplus.com
sudo chmod 755 /home/raq3785/bandrplus.com
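An added example, not part of the original guide or of OpenSSH, for the two gaps this section describes: accounts given the sftp shell from Step 4 but never added to the sftponly group (which the Match block then never chroots), and an AllowGroups line that omits a group. It reads passwd, group and sshd_config files given as arguments, so it can be run against copies; the sample records it writes are constructed here, modelled on the listing further down, and 'forgot' is a made-up account.

```shell
#!/bin/sh
# Added example, not part of the original guide. Two audits for the gaps
# discussed above. sftp_users_not_in_group lists accounts whose login shell
# is the Step 4 sftp shell but which are NOT in the sftponly group, so the
# Match block never chroots them. allowgroups_missing lists groups absent
# from the first active AllowGroups line. Both read files given as
# arguments (real /etc files or copies). Assumes POSIX sh and awk.

SFTP_SHELL=/usr/lib/sftp-server
SFTP_GROUP=sftponly

# sftp_users_not_in_group PASSWD_FILE GROUP_FILE -> one username per line
sftp_users_not_in_group() {
    # GID of the group (covers primary-group membership, as useradd -g sets)
    gid=$(awk -F: -v g="$SFTP_GROUP" '$1 == g { print $3 }' "$2")
    # explicit supplementary members from the comma-separated 4th field
    members=$(awk -F: -v g="$SFTP_GROUP" '$1 == g { gsub(",", " ", $4); print $4 }' "$2")
    awk -F: -v sh="$SFTP_SHELL" -v gid="$gid" -v m=" $members " \
        '$7 == sh && $4 != gid && index(m, " " $1 " ") == 0 { print $1 }' "$1"
}

# allowgroups_missing SSHD_CONFIG GROUP... -> groups not on the first active
# AllowGroups line (keywords are case-insensitive, '#' lines are ignored)
allowgroups_missing() {
    cfg=$1; shift
    allowed=$(awk 'tolower($1) == "allowgroups" { $1 = ""; print; exit }' "$cfg")
    for g in "$@"; do
        case " $allowed " in *" $g "*) ;; *) echo "$g" ;; esac
    done
}

# write_sample_files DIR: constructed passwd/group/sshd_config fragments
# modelled on the "Expected results" listing, plus one forgotten account.
write_sample_files() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'raq3785:x:1002:1002::/bandrplus.com:/usr/lib/sftp-server' \
        'forgot:x:1003:1003::/forgot:/usr/lib/sftp-server' \
        'bob:x:1005:1005::/home/bob:/bin/bash' > "$1/passwd"
    printf '%s\n' 'sftponly:x:1002:apache,root,raq3785' \
        'sftpguy:x:1004:' > "$1/group"
    printf '%s\n' '#AllowGroups admins' 'AllowGroups ssh-users' > "$1/sshd_config"
}

# "sh audit.sh demo" runs both audits on the constructed files and prints
# "forgot" and "sftponly" (file name is a placeholder)
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    write_sample_files "$d"
    sftp_users_not_in_group "$d/passwd" "$d/group"
    allowgroups_missing "$d/sshd_config" ssh-users sftponly
    rm -r "$d"
fi
```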
==============================================================
### cd /home/apache/http
### ln -s /home/raq3785/bandrplus.com/ /home/apache/http/bandrplus.com
### ls -l | grep bandrplus.com
lrwxrwxrwx 1 root root 28 Feb 4 13:53 bandrplus.com -> /home/raq3785/bandrplus.com/
chown -R apache:apache /home/apache/http/bandrplus.com
chown apache:apache /home/apache/http/bandrplus.com
ln -s /home/raq3785/bandrplus.com/* /home/apache/http/bandrplus.com
— =======================================================
Expected results for user raq3785:
### ls -l / | grep home
drwxr-xr-x 6 root root 4096 Feb 4 13:10 home
### ls -l /home | grep raq3785
drwxr-xr-x 4 root sftponly 4096 Feb 4 13:34 raq3785
### ls -l /home/raq3785/
total 8
drwxr-xr-x 2 raq3785 sftponly 4096 Feb 4 13:36 bandrplus.com
drwxr-xr-x 4 raq3785 sftponly 4096 Feb 4 13:27 www
### sudo cat /etc/group | grep sftp
sftponly:x:1002:apache,root,raq3785
sftpguy:x:1004:
### sudo cat /etc/passwd | grep raq3785
raq3785:x:1002:1002::/bandrplus.com:/usr/lib/sftp-server
— =======================================================
sudo service ssh start
sudo service ssh restart
sudo service ssh stop
— =======================================================